The Design And Realization Of Mobile Agent Based Distributed Network Intrusion Detection System

Posted on: 2007-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: S P Liu
Full Text: PDF
GTID: 2178360182996249
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of networks, the Internet has come to be widely used in fields such as commerce, politics and the military. Although it makes life more convenient, the openness and sharing of the Internet pose a major challenge to information security, and intrusion detection technology has emerged in response. This technology is a key part of the P2DR dynamic security model and is regarded as the second security gate behind the firewall. It can detect and protect the network against internal and external attacks and misoperation in real time without affecting network performance.

The traditional centralized IDS based on a single machine cannot satisfy security needs given the popularity of distributed environments, huge storage and high-bandwidth transfer technology. With the growing sophistication of attackers, especially distributed denial-of-service (DDoS) attacks, distributed intrusion detection (DID) has become the focus of intrusion detection and even of network security as a whole.

This paper presents the current state of network security and a series of its problems, and introduces future developments at home and abroad. It then studies Mobile Agent (MA) technology and its application in intrusion detection. The paper analyzes existing intrusion detection technologies, including their advantages and disadvantages, and compares the characteristics of the existing hierarchical and collaborative models, especially prototype systems that are still in the lab and mature standards. It presents a novel detection model for the distributed network environment that combines hierarchy and collaboration based on MA. It proposes some corrections concerning the MA-based collaboration mechanism and the security of the detection system. Finally, experiments are carried out in Java on IBM's Aglet platform.

The model has two detection capabilities, one host-based and one network-based. It comprises four parts: the MA environment, the coordination and control centre, the agent library, and the data information and pattern library. The agent library includes the data sampling agent, the intrusion detection agent, the protecting agent and the collaboration agent. The data sampling agent is in charge of sampling network information and the logs of the host system and applications. The intrusion detection agent comprises many analysis agents based on different detection technologies. The collaboration agent coordinates the agents and improves the detection reliability and accuracy of the system.

For the system implementation, the paper introduces the Jpcap development kit with its main classes and interfaces, and implements the network information sampling agent on Windows. It presents the existing network protocols and analysis methods, and describes the procedure and strategies of pattern matching. Finally, it gives an improved measure for the security of MA and of the MA-based detection system.

Compared with the traditional model, this model has the following characteristics:

1. High real-time quality: this lies in real-time detection and response. MA can effectively eliminate network delay and quickly detect intrusions of any kind, so the system has high real-time quality and losses are reduced.
2. High anti-damage quality: the system can effectively avoid attacks and improve its defense ability, and it has very high anti-damage capability because of the agents' ability to duplicate and move. All the agents are independent and the model is robust: when one agent fails it does not affect the others, so the single point of failure problem is reduced.
3. Good collaboration quality: the system adopts different agents according to the different characteristics and environments of systems and networks, and the collaboration mechanism works well.
4. Improved system security: security is important in an intrusion detection system. The mobile agent can provide a high-quality communication mechanism, which reduces this potential danger.
5. Good extension quality: the detectable attack types can be extended by adding intrusion detection agents. Only minor changes are needed when the network topology changes, without disturbing the running system.
6. Integration of different detection technologies: the system has various detection abilities for different attacks coming from inside and outside. The data sources and the analyses of the detection agents in this model are varied, and many detection measures are adopted.
7. Platform independence: the system is platform independent because the agents are written in Java, which is platform independent. The components can be decomposed and deployed arbitrarily, and changes at a local point do not affect the system.

The distributed intrusion detection system based on mobile agents needs further study and development. System performance and accuracy can be improved by improving system efficiency, studying the mechanism for choosing between static and mobile agents, and adding more detection technologies to the system. Much work remains to be done in constructing an ideal, intelligent and adaptive management system.
Keywords/Search Tags: network security, intrusion detecting, distributed intrusion detecting, moving agent, pattern matching